
Difference between pages "Libewf" and "User:Alex116"

From ForensicsWiki
m (Creating user page with biography of new user.)
{{Infobox_Software |
  name = libewf |
  maintainer = [[Joachim Metz]], [[David Loveall]] |
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
  genre = {{Disk imaging}} |
  license = {{LGPL}} |
  website = [] |
}}
The '''libewf''' package contains a [[Linux]]-based library and applications to read and write EnCase E0* and SMART s0* storage media bitstream copies.
It has been ported to other platforms like [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], and [[Windows]] as well.
== History ==
Libewf was created by [[Joachim Metz]] in 2006, while working for [ Hoffmann Investigations].
Libewf is a rewrite of earlier work on the EnCase 4 file format by [[Michael Cohen]], part of [[PyFlag]], and the [ Expert Witness Compression Format Specification] by [[Andrew Rosen]]. It has been updated to read and write EnCase version 1 to 6 E01 files and SMART s01 files (EWF files). Libewf has initiated an Extended EWF (EWF-X) specification to bypass limitations on the format imposed by EnCase.
Currently libewf partially supports the EnCase L01 format, but this functionality has been disabled.
In 2007 [[David Loveall]] contributed to the libewf project. This application allows the storage media data in the EWF files to be mounted using [[fuse]].
== Tools ==
The '''libewf''' package contains the following tools:
* '''ewfacquire''' and '''ewfacquirestream''', which write storage media data from a device handle to EWF files.
* '''ewfexport''', which exports storage media data in a set of E01 or s01 files to raw (dd) format or a specific version of EWF files.
* '''ewfinfo''', which shows the metadata in EWF files.
* '''ewfverify''', which verifies the storage media data in EWF files.
* '''''', which allows the storage media data in EWF files to be mounted.
[[Dennis Schreiber]] created a menu-based interface for ewfacquirestream called pyEWF. However, it currently does not seem to be maintained.
== Examples ==
Imaging a device on a Unix-based system:
 ewfacquire /dev/sda
Imaging a device on a Windows system:
 ewfacquire \\.\PhysicalDrive0
Converting a split RAW into an EWF image:
 ewfacquire split.raw.???
 cat split.raw.??? | ewfacquirestream
Converting an EWF into another EWF format or a (split) RAW image:
 ewfexport image.E01
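Before handing a set of segment files to ewfexport or ewfverify, it can help to confirm that every file carries an EWF signature and that no segment number is missing or duplicated. The Python code below is an added example, not part of libewf or of the original page; the 13-byte file header layout and the signatures come from the Expert Witness Compression Format specification, while the function names and the sample bytes are constructed for illustration.

```python
import struct

# Signatures and 13-byte header layout per the EWF format specification.
SIGNATURES = {
    b"EVF\x09\x0d\x0a\xff\x00": "EWF",          # E01 / s01 segment files
    b"LVF\x09\x0d\x0a\xff\x00": "EWF-logical",  # L01 segment files
}
HEADER = struct.Struct("<8sBHH")  # signature, 0x01, segment number, 0x0000


def parse_segment_header(data):
    """Return (kind, segment_number) from the first 13 bytes of a segment file."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    signature, start, number, end = HEADER.unpack_from(data)
    if signature not in SIGNATURES:
        raise ValueError("not an EWF segment file")
    if start != 1 or end != 0 or number == 0:
        raise ValueError("malformed EWF header fields")
    return SIGNATURES[signature], number


def order_segments(headers):
    """headers maps file name -> first 13 bytes. Return names in segment order,
    raising ValueError on mixed kinds, duplicates, or gaps in the numbering."""
    by_number, kinds = {}, set()
    for name, data in headers.items():
        kind, number = parse_segment_header(data)
        kinds.add(kind)
        if number in by_number:
            raise ValueError(f"segment {number} appears twice")
        by_number[number] = name
    if len(kinds) > 1:
        raise ValueError("mixed segment kinds: " + ", ".join(sorted(kinds)))
    last = max(by_number, default=0)
    missing = [n for n in range(1, last + 1) if n not in by_number]
    if missing:
        raise ValueError(f"missing segment(s): {missing}")
    return [by_number[n] for n in sorted(by_number)]


def make_header(number, magic=b"EVF"):
    """Build a constructed sample header (not taken from a real image)."""
    return magic + b"\x09\x0d\x0a\xff\x00" + struct.pack("<BHH", 1, number, 0)


if __name__ == "__main__":
    sample = {"image.E02": make_header(2), "image.E01": make_header(1)}
    print(order_segments(sample))  # constructed, complete two-segment set
```

For files on disk, the mapping can be built by reading the first 13 bytes of each segment file opened in binary mode.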
== External Links ==
* [ libewf project site]
* [ old libewf project site]

Latest revision as of 16:26, 28 March 2011